OGC 11-017
6
Copyright © 2007-2011 Open Geospatial Consortium
5 Conventions
5.1 Symbols and abbreviated terms
1D One Dimensional
2D Two Dimensional
3D Three Dimensional
GeoXACML Geospatial eXtensible Access Control Markup Language GeoDRM
Geospatial Digital Rights Management GeoDRM-RM Geospatial Digital Rights Management – Reference Model
GML Geography Markup Language
ISO International Organization for Standardization
OASIS Organization for the Advancement of Structured Information Standards
OGC Open Geospatial Consortium
OWS OpenGIS Web
Services PAP Policy
Administration Point
PDP Policy Decision
Point PEP Policy
Enforcement Point
PIP Policy Information
Point SAML
Security Assertion Markup Language SOA
Service Oriented Architecture UML Unified
Modeling Language
XACML eXtensible Access
Control Markup Language XML eXtensible
Markup Language
OGC 11-017
Copyright © 2007-2011 Open Geospatial Consortium
7
5.2 UML Notation
The diagrams that appear in this standard are presented using the Unified Modelling Language UML static structure diagram. The UML notations used in this standard are
described in the diagram below.
Association between classes
role-1 role-2
Association Name Class 1
Class 2
Association Cardinality
Class Only one
Class Zero or more
Class Optional zero or one
1.. Class
One or more n
Class Specific number
Aggregation between classes
Aggregate Class
Component Class 1
Component Class 2
Component Class n
………. 0..
0..1
Class Inheritance subtyping of classes
Superclass
Subclass 1 …………..
Subclass 2 Subclass n
Figure 1 — UML notation
OGC 11-017
8
Copyright © 2007-2011 Open Geospatial Consortium
6 Brief Introduction to XACML informative
It is the intention of this chapter to give a brief informative introduction of XACML as defined in [1], before GeoXACML is defined in the next chapters.
A short primer on XACML is available as a Technology Report at the OASIS Cover Pages; see [8] for more information.
The XACML standard can be separated into two main sections, which are introduced in more detail in the following sections: i Policy Language and Authorization Model as
well as ii Information Flow Model.
6.1 Policy Language Model and Authorization
The XACML Policy Language Model defines an XML encoding for expressing general purpose access restrictions and extension points to define your own Attribute Values,
Functions, etc. The entire set of access restrictions defines an XACML Policy. The Policy is structured, according to the following UML diagram see Figure 2.
The top level element is the PolicySet. It can host zero or more PolicySet elements, which can be included inline or by reference. This powerful feature allows the reuse of
pre-defined policy segments as well as the integration of multiple policies.
Each PolicySet element can host one or more Policy elements, which is the container for a set of Rule elements. Inside the Rule element, conditions can be
formed to express complex access restrictions, using the Condition element.
Each PolicySet, Policy and Rule element have a Target element, which can be used to define simple matching conditions for the Subject, Action, Resource and
Environment. This allows the effective structuring of a policy into sub-trees, which eases the maintenance of rights defined in a policy. On the other hand, the simple matching in a
Target element ensures fast decision making, when it comes to deriving an authorization decision.
The flexible matching of Subjects in the Target element supports direct association of access rights to subjects or roles, as defined in the RBAC profile of XACML “Core and
hierarchical role based access control RBAC profile of XACML v2.0”,[6].
In order to derive an authorization decision i.e. XACML authorization decision for a given request, the XACML policy is traversed from the top i.e. PolicySet element to
the leaves i.e. Rule elements. For all matching Rule elements, their Effect i.e. Permit or Deny is taken as the most basic driver for the authorization decision. By
traversing up the policy the effects of all Rules – associated to a Policy element – are combined using the RuleCombiningAlgorithm. The resulting effects of all Policy
elements are matched on the next highest level, until reaching the top PolicySet
OGC 11-017
Copyright © 2007-2011 Open Geospatial Consortium
9 element; the PolicyCombiningAlgorithm creates the final effect of the entire policy,
which represents the authorization decision. The XACML Policy Language defines four different results for the authorization
decision: i Permit, ii Deny, iii Indeterminate and iv NotApplicable. Finally, the process of deriving an authorization decision can result in an error, which is documented
as additional information in the Decision element.
In addition, the decision can be “Permit with Obligation”, which can be expressed in the Obligation element, attached to the Policy or PolicySet element.
1 0..
1 0..
1 0..
Condition Target
Rule
1 0..1
Policy
1 1
Obligation
1
1 1
0.. 1
0..
Action Resource
Subject PolicySet
1
0.. 1
1
Policy Combining
Alogorithm
Rule Combining
Algorithm
1
0.. 1
0..1 1
1
Effect
1 1
Environment
1 0..
1 0..
Figure 2 — XACML Policy Language Model
OGC 11-017
10
Copyright © 2007-2011 Open Geospatial Consortium
6.2 Information Flow Model